这是我的 nginx 端口 443 的配置:
server {
listen *:443;
server_name site.com;
ssl on;
ssl_protocols SSLv3 TLSv1;
ssl_certificate /www/certs/site.com.crt;
ssl_certificate_key /www/certs/site.com.key;
access_log /var/log/nginx.site.com-access_log;
location ~* .(jpg|jpeg|gif|png|css|zip|tgz|gz|rar|bz2|doc|xls|exe|pdf|ppt|tar|wav|bmp|rtf|swf|ico|flv|txt|xml|docx|xlsx)$ {
root /www/site.com/;
index index.html index.php;
access_log off;
expires 30d;
}
location ~ /.ht {
deny all;
}
location / {
proxy_pass http://127.0.0.1:81/;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-for $remote_addr;
proxy_set_header Host $host;
proxy_connect_timeout 60;
proxy_send_timeout 90;
proxy_read_timeout 90;
proxy_redirect off;
proxy_set_header Connection close;
proxy_pass_header Content-Type;
proxy_pass_header Content-Disposition;
proxy_pass_header Content-Length;
}
}
问题 1:为什么要求我输入证书的 PEM 密码?如何在 nginx 配置中输入密码?
178-162-174-212:/usr/bin# service apache2 restart
Restarting web server: apache2.
178-162-174-212:/usr/bin# service nginx restart
Restarting nginx: Enter PEM pass phrase:
Enter PEM pass phrase:
[emerg]: bind() to 188.72.245.198:443 failed (98: Address already in use)
[emerg]: bind() to 188.72.245.198:443 failed (98: Address already in use)
[emerg]: bind() to 188.72.245.198:443 failed (98: Address already in use)
[emerg]: bind() to 188.72.245.198:443 failed (98: Address already in use)
[emerg]: bind() to 188.72.245.198:443 failed (98: Address already in use)
[emerg]: still could not bind()
nginx.
问题2:为什么443端口有冲突呢?
Apache 配置:
NameVirtualHost *:81
Listen 127.0.0.1:81
Listen 999
<IfModule mod_ssl.c>
Listen 443
</IfModule>
<IfModule mod_gnutls.c>
Listen 443
</IfModule>
如果我注释掉“Listen 443”这一行,那么 site.com:443 将不起作用。
答案1
您已将 Apache 和 nginx 配置为监听端口 443。
看起来您的意图是让 nginx 控制该端口,因此您需要从 Apache 中删除该配置,然后重新启动两个服务:先重新启动 Apache,然后重新启动 nginx。这应该允许 nginx 绑定到端口 443 并处理这些请求。
至于证书密码,nginx 不支持在配置文件中保存解密私钥的密码(这对他们来说很好;由此授予的模糊性毫无价值)。解密私钥(并确保只有 nginx 正在运行的用户才能读取它):
mv /www/certs/site.com.key /www/certs/site.com.keyold
openssl rsa -in /www/certs/site.com.keyold -out /www/certs/site.com.key